views: 34
answers: 2

I am fairly new to Ruby on Rails and right now I am doing a simple app. In this app a user can create many items and I use devise for authentication. Of course I want to make sure that you are the owner in order to delete items (Teams, Players, etc.) and the way I do it now is:

def destroy
  @team = Team.find(params[:id])
  if current_user.id == @team.user_id
    @team.destroy
    redirect_to(teams_url, :notice => 'The team was deleted.')
  else
    redirect_to root_path
  end
end

Is this the best way? I was thinking about putting a method in the model but I am not sure I can access current_user from there. I was also thinking about a before_filter, something like:

before_filter :check_ownership, :only => [:destroy, :update]

In that case and if I want to code only one method for all objects (all objects this relates to have a "user_id"-field)

Thanks in advance

+1  A: 

In my application controller I put:

before_filter :authorize

def authorize
  false # Or use code here to check if user is admin or not
end

Then I override the authorize method in my actual controller to allow access to various actions.

John Drummond
Yeah, I do this too. Users that are not signed in can use Index/Show. To create you have to be signed in. But the question was how to check if an object that is about to be destroyed or edited really belongs to the user or the action is done by an admin.
Staffan Jonsson
To make sure the user can only edit the items they own I do:

@team = current_user.teams.find(params[:id])

I usually do a separate set of controllers for administration functions.
John Drummond
I have to try that. That seems like a good solution.
Staffan Jonsson
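The two ideas above, the asker's single before_filter-style ownership check and Staffan's association-scoped `current_user.teams.find`, combined into one runnable sketch. This is an added example, not code from the question or the answers; Rails is not loaded, so RecordNotFound, the finder, the User/Team models, `current_user`, `redirect_to` and the admin flag are constructed stand-ins.

```ruby
# Stand-ins, since Rails is not loaded here: RecordNotFound and an
# ActiveRecord-style finder that raises for an unknown id.
class RecordNotFound < StandardError; end
Finder = Struct.new(:records) do
  def find(id)
    records.find { |r| r.id == id } or raise RecordNotFound, "id=#{id}"
  end
end
# Constructed in-memory models; Team carries the user_id column the asker describes.
Team = Struct.new(:id, :user_id, :name)
TEAMS = [Team.new(1, 10, "Reds"), Team.new(2, 20, "Blues")]
# Stand-in for the devise User with has_many :teams: current_user.teams only
# sees this user's rows, so a foreign id raises instead of leaking a team.
User = Struct.new(:id, :admin) do
  def teams
    Finder.new(TEAMS.select { |t| t.user_id == id })
  end
end
# One ownership check for every controller whose resource has a user_id, in the
# spirit of the asker's before_filter. Admins use the unscoped model finder;
# everyone else must go through their own association.
module Ownership
  # Returns the record, or nil after redirecting to root when the current
  # user may not touch it (the question's else branch).
  def load_owned(collection, model, id)
    finder = current_user.admin ? model : current_user.send(collection)
    finder.find(id)
  rescue RecordNotFound
    redirect_to(:root_path)
    nil
  end
end

class TeamsController
  include Ownership
  attr_reader :current_user, :redirected_to, :notice
  def initialize(current_user)
    @current_user = current_user
  end
  # Stand-in for the Rails helper: records where the response would go.
  def redirect_to(target, notice = nil)
    @redirected_to, @notice = target, notice
  end
  def destroy(id)
    team = load_owned(:teams, Finder.new(TEAMS), id) or return :forbidden
    TEAMS.delete(team)
    redirect_to(:teams_url, "The team was deleted.")
    :destroyed
  end
end
```

A real controller would call `load_owned` from a `before_filter` and use `params[:id]`; the point is that a non-owner never sees another user's record, because the scoped association raises before any ownership comparison is needed.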
A: 

You're looking for an authorization solution on top of your authentication (devise).

No, you can't access current_user in the model. I've had a fair amount of success using Makandra's Aegis for authorization. It allows you to create roles and specify permissions attributed to each role. The docs are pretty good, and I know it works fine with Devise; it's pretty agnostic that way, and I've also used it with Clearance. It also passes an implicit "current_user" to your permissions, so you can specify and check that your current user can take appropriate actions.

brad